Hash Disclosure - MD4 / MD5

ID

hash_disclosure_md4_md5

Severity

low

Kind

Information Disclosure

CWE

497

Description

This detector identifies MD4 or MD5 password hashes exposed in web server responses, HTML comments, JavaScript files, or error messages. The scanner recognizes the characteristic 32-character hexadecimal format of these hash algorithms and flags instances where cryptographic hashes appear in publicly accessible content. Because MD4 and MD5 digests share this encoding with any other 128-bit value rendered as hex, the pattern alone cannot tell the two algorithms apart or rule out look-alike values, so each finding should be confirmed in context. Disclosed hashes may represent password hashes, session identifiers, or other sensitive values that should remain server-side only.
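As an added example that is not the detector's own code, the 32-character hexadecimal check described above as a standalone scan over constructed response fragments; it also excludes the look-alikes that most often produce false positives (longer SHA digests, all-digit identifiers, dashed UUIDs), which the description does not spell out. All digests and response lines are constructed for the example.

```python
import hashlib
import re

# Candidate MD4/MD5 digests: exactly 32 hex characters that are not part of a
# longer hex run (a 40- or 64-character run is SHA-1/SHA-256, not MD4/MD5).
HEX32 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")


def find_hash_candidates(body: str) -> list:
    """Return (line_number, token) for each candidate digest in a response body.

    All-digit tokens are dropped: they satisfy the regex but are far more
    likely to be numeric identifiers than a hex digest.
    """
    hits = []
    for lineno, line in enumerate(body.splitlines(), start=1):
        for match in HEX32.finditer(line):
            token = match.group(0)
            if token.isdigit():
                continue
            hits.append((lineno, token.lower()))
    return hits


# Constructed sample values (hypothetical data, not taken from any real host).
SEED_DIGEST = hashlib.md5(b"constructed-seed-value").hexdigest()
TOKEN_DIGEST = hashlib.md5(b"constructed-session-token").hexdigest()
SHA256_DIGEST = hashlib.sha256(b"constructed-file-body").hexdigest()

# Constructed response body mixing leaked digests with benign look-alikes:
# a SHA-256 checksum, an all-digit order reference and a dashed UUID.
SAMPLE_RESPONSE = f"""<!-- admin seed: {SEED_DIGEST} -->
<script>var userToken = "{TOKEN_DIGEST.upper()}";</script>
<p>Checksum: {SHA256_DIGEST}</p>
<p>Order ref: 12345678901234567890123456789012</p>
<p>Request id: 550e8400-e29b-41d4-a716-446655440000</p>
"""


def scan_sample() -> list:
    """Run the check over the constructed body; only the two MD5 values match."""
    return find_hash_candidates(SAMPLE_RESPONSE)


if __name__ == "__main__":
    for lineno, token in scan_sample():
        print(f"line {lineno}: possible MD4/MD5 digest {token}")
```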

Rationale

Exposed password hashes enable offline brute-force and rainbow table attacks without triggering account lockout mechanisms. MD4 and MD5 are cryptographically broken hash functions vulnerable to collision attacks and rapid cracking using modern hardware. Attackers extract disclosed hashes and use precomputed rainbow tables or GPU-accelerated cracking tools to recover plaintext passwords within hours or days. Compromised credentials allow attackers to authenticate as legitimate users, escalate privileges, or pivot to other systems where users reuse passwords.

Remediation

Remove all password hashes and sensitive cryptographic values from client-accessible responses including HTML, JavaScript, CSS, and API responses. Ensure error messages, debug output, and log files do not expose hash values. Migrate from broken MD4 and MD5 hash algorithms to modern alternatives like bcrypt, scrypt, or Argon2 for password hashing. Store password hashes exclusively in secure server-side databases with appropriate access controls. Review application code and database queries to prevent hash leakage through unintended data exposure. Use parameterized queries and sanitize database result sets before sending responses to clients.